Slideshare uses cookies to improve functionality and performance, and to provide you with relevant advertising. If you continue browsing the site, you agree to the use of cookies on this website. See our User Agreement and Privacy Policy.

Slideshare uses cookies to improve functionality and performance, and to provide you with relevant advertising. If you continue browsing the site, you agree to the use of cookies on this website. See our Privacy Policy and User Agreement for details.

Open Sesame: Picking Locks with Cortana

Slides of our Blackhat USA 2018 talk:
Many new devices are trying to fit into our life seamlessly. As a result, there’s a quest for a “universal access methods” for all devices. Voice activation seems to be a natural candidate for the task and many implementations for it surfaced in recent years. A few notable examples are Amazon’s Alexa, Google’s Assistant and Microsoft’s Cortana.

The problem starts when these “Universal” access methods, aimed for maximal comfort, meet the very “specific” use-case of the enterprise environment which requires comfort to be balanced with other aspects, such as security. Microsoft Cortana is used on Mobile and IoT devices, but also in the enterprise computers as it comes enabled by default with Windows10 and always ready to respond to users’ commands even when the machine is locked.

Allowing interaction with a locked machine is a dangerous architectural decision, and earlier this year, we exposed the Voice of Esau (VoE) exploit for a Cortana vulnerability. The VoE exploit allowed attackers to take over a locked Windows10 machine by combining voice commands and network fiddling to deliver a malicious payload to the victim machine.

In this presentation, we will reveal the “Open Sesame” vulnerability, a much more powerful vulnerability in Cortana that allows attackers to take over a locked Windows machine and execute arbitrary code. Exploiting the “Open Sesame” vulnerability attackers can view the contents of sensitive files (text and media), browse arbitrary web sites, download and execute arbitrary executables from the Internet, and under some circumstances gain elevated privileges. To make matters even worse, exploiting the vulnerability does not involve ANY external code, nor shady system calls, hence making code focused defenses such as Antivirus, Anti-malware and IPS blind to the attack.

We would conclude by suggesting some defense mechanisms and compensating controls to detect and defend against such attacks.

14.
Cortana Skills
• Cortana can be extended with
cloud based “skills”
• A Skill is an Azure bot registered
to the Cortana channel
• Receive all user input after an
invocation name
• Interacts with the Cortana client
using Cards that include voice,
text and LIMITED COMMANDS
14

18.
Putting Murphy to Work
• Set up a research project with the
Technion
• Undergraduate students exploring
different aspects of the system
• Some avenues we explored
• Local input to Cortana
• Intents that invoke exploitable actions
• Intents that retrieve malicious
content
• Capabilities of 3rd party Cortana skills
18

23.
Open Sesame: Attack Model
• Impact:
• by Abusing The “Open Sesame” vulnerability, “Evil Maid” attackers can gain
full control over a locked machine
• Evil Maid attack model:
• Attackers have physical access for a limited time, but the Computer is locked
• Why it’s called Evil Maid?
• Think of the laptop you left in your room last night when you went out…
• But also borders control, computers in the office during breaks and night, …
• But isn’t that exactly what Locked Screen suppose to stop?
23

24.
Lock Screen: You Had One Job
• Lock Screen is not magic!
• Lock Screen is merely another
“Desktop” ( Winlogon desktop )
with very limited access
• The security stems from the
reduced attack surface
• If Microsoft adds more apps on
Lock Screen: The attack surface
expands → security is reduced
24

27.
“Open Sesame” Root Cause
• Lock screen restricts keyboard, but allows Cortana invocation through
voice
• Once Cortana is invoked, the Lock Screen no longer restricts it
• Cortana is free to accept input from the keyboard too
• The fix: Make Cortana Search UI state aware. Different behavior when
the UI is locked
• Shift of responsibility:
• In the past, the OS made sure the UI is not accessible when computer is
locked, therefore developers do not need to think about it.
• Now, it’s the developers’ responsibility
27

29.
“Open Sesame” Summary
• Impact: Evil Maid Attackers can gain full control on a locked machine
• The fix is
• Tactical: making Cortana Search aware of UI state
• Not Strategical: Cortana still gets keyboard input and launches processes from
a locked screen in some other scenarios
• There are more where it came from: CVE-2018-8369
• Design lessons: Adding more capabilities to Lock Screen is very
tempting, but dangerous
29

39.
The Voice of Esau
• Impact: Evil Maid or even remote attacker can invoke unsafe
browsing on a locked machine. Using additional vulns attacker can
gain full control
• The fix is
• Tactical: making Cortana cloud aware of UI state and safely Bing instead of
direct browse in certain scenarios
• Not Strategical: Cortana may still allow unsafe browsing in some other
scenarios
• There are more where it came from: CVE-2018-8271 (and more)
• Design lessons: Adding more capabilities to Lock Screen is tempting
but dangerous
39

55.
Takeaways: Defenders
• For the time being:
• Disable Cortana voice in corporate
environments
• Or at least on locked screen
• Reconsider when compensating
controls are there
• “voice firewall”: If voice
becomes mainstream,
considering specialized solutions
is a must for corporate adoption
55
https://www.pcgamer.com/how-to-disable-cortana/

56.
Takeaways: Builders & Breakers
• New interfaces are much more than “just an interface”
• When introducing innovative concept into existing environments
• Secure Coding is not enough
• We need Secure System Engineering
• We found 3 different CVEs and numerous issues that enables
attackers to bypass the lock screen
56